What you need to know about Canada Revenue Agency's 'internet vulnerability' - Action News
Home WebMail Tuesday, November 26, 2024, 10:32 PM | Calgary | -6.2°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Science

What you need to know about Canada Revenue Agency's 'internet vulnerability'

The CRA's electronic tax filing services have been restored, but you might be wondering how the CRA got into this situation in the first place.

Has the CRA been hacked? How serious was the bug? And what's an Apache Struts 2?

Image of 2 male hands and computer wires
As far as officials know, no data was taken during a recent 'internet vulnerability' at the Canadian Revenue Agency. But CRA did identify and patch a bug that could have been used to do so. (Benoit Tessier/Reuters)

Canada Revenue Agency took its website offline over the weekend a precautionary measure, officials said, while they dealt with an unspecified "internet vulnerability."

The agency's digital services have since been restoredand government officials said no personal information was compromised.

But you may be wondering how CRA got into this situation in the first place.Here's what you need to know.

So, uh, has Canada Revenue Agency been hacked?

"Ifan organization is concerned about security, they're going to focus on patching that very quickly- Ryan Wilson, CTO of Scalar Decisions

Not as far as we know. But the department did find a vulnerability in some of its software that couldhave been used to launch an attack.

CRA said they haven't seen any evidence such an attack happened, or that data was taken, which means your personal information your SIN, your financial information, your password, your phone number, your addresses is likely safe.

Still, officials said they're undertakinga forensic examination of the affected servers.

Why take parts of the agency's website down?

CRA said the move was a preventative measure and cybersecurity expert Ryan Wilson saidthat's not unusual.

"In a lot of cases, organizations that have sensitive web applications, they'll have what's called a web application firewall, which will typically let you stop this attack before itgets to the server," said Wilson, chief technology officer for Toronto-based security company Scalar Decisions.

"For whatever reason, it looks like they were not available to do that, and their next best available option was to pull down the server and patch it."

So was this was a serious bug?

Pretty serious.If exploited, attackers could pull off something called "remote code execution," which is really just another way of saying "do whatever they want on your server" (more or less). That's bad, especially if it's a server with sensitive data or could be used to jump to another server with sensitive data.

The severity of the bug, the sensitivity of taxpayer dataand the fact that the wider security community reported the bug as being actively exploited elsewhere on the internet which officials called "a specific and credible threat" all factored into the government's decision to take the CRA's electronic filing services offline.

Wilson called the vulnerability "something that, if an organization is concerned about security, they're going to focus on patching...very quickly."

OK,but what sort of software are we talking about? Is it something I have installed on my own computer?

Probably not.By software, we mean something called Apache Struts 2. It's a bunch of code that developers use to create web applications with the Java programming language. It's open source software free for anyone to download, modifyand use.

Statistics Canada's servers were also affected and attackers even gained access for a brief period. (Baz Ratner/Reuters)

CRA uses Apache Struts in the electronic filing portions of its website, which is why those services were taken offline. The bug was found in a part of the Apache Struts 2 software that handles file uploads.

Wait, the government is using free software in important systems?

Yeah. This is actually pretty common Apache, for example, is one of the most widely used web server software packages around. Most organizations use a mix of free opensource and commercial software.

While there are "pros and cons to using commercial versus open source," Wilson said, there's "not one that's a clear winner over the other from a security standpoint."

Was CRA the only government department affected?

No. Government officials also revealed that some Statistics Canada servers were vulnerable, too and that an attacker actually gained access for a brief period of time. (It's not yet clear who wasresponsible in that case.) The affected Statistics Canada servers were then taken offline and patched, while network-based protections were put in place to block any additional attacks something Wilson saidtypically buys IT staff time to patch servers without causing too much downtime.

But for whatever reason, the government's IT department determined that the network-based protections were not working as expected, and so the decision was made to take the CRA's servers offline and patch them then and there.

So is it safe to file my taxes online?

On the one hand, no piece of software is ever 100 per cent secure something that government officials acknowledged in their Monday briefing with reporters.

On the other, officials offered the typical reassurance that "government systems are secure and reliable," and called their response "an example of the system working really well."

Wilson agreed. "I think in many ways it's a great example where an organization saw that there was risk in this vulnerability, and actually took action in a reasonable time frame to rectify the issues on their systems."